72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Analysis

max time kernel
48s

Sharing

Copy URL

Twitter E-mail

General

Target

test.zip
Sample

190821-b2h8n5wv9n
SHA256

72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score

N/A

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 9 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\Toolbar (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\MenuExt (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~1\\MICROS~1\\Office14\\ONBttnIE.dll/105"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~1\\MICROS~1\\Office14\\EXCEL.EXE/3000"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"

HTTP(S) URI 1 TTPs 8 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\ShortcutUrl = "http://www.msnusers.com"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\NewWDUrl = "http://r.office.microsoft.com/r/rlidNetworkPlaces?clid=1033&app=Office10&select=no"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\ManageWDUrl = "http://r.office.microsoft.com/r/rlidManageNetworkPlaces?clid=1033"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\FbPutDataUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=put"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\SignupUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=manage&users="
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\FbGetEmailUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=getprefemail"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\FbGetDataUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=get&email="
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000\Software\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\InfoUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll"

Suspicious behavior: AddClipboardFormatListener
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Suspicious use of SetWindowsHookEx 1 TTPs
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 1 IoCs

description
C:\Windows\system32\spool\DRIVERS\x64\3\mxdwdui.BUD

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Modifies registry class 1 TTPs 280 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9} (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0 (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\ = "Microsoft Forms 2.0 Object Library"
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\FLAGS (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\FLAGS\ = "6"
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\0 (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\0\win32 (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\HELPDIR (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0 (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\ = "Microsoft Forms 2.0 Object Library"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\FLAGS (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\FLAGS\ = "6"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\0 (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\0\win32 (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\HELPDIR (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\TypeLib\{37F268D1-C555-4143-A5F5-4E64387424D9}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Word8.0"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F} (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-950826026-2020361684-1360728853-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Suspicious use of FindShellTrayWindow 1 TTPs

Process Injection
T1055
windows_cmd_obfuscation

process_martian 1 IoCs

description	pid
Parent 1968 is not expected to spawn this process	1968

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 1968 wrote to memory of 1772	1772	Process not Found

windows_cmd_obfuscation

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 1772 wrote to memory of 1936	1936	Process not Found

Loads dropped DLL 1 TTPs

Shared Modules
T1129
Uses Task Scheduler COM API 1 TTPs

Query Registry
T1012
powershell_downloader 1 TTPs

Suspicious use of AdjustPrivilegeToken 1 TTPs 1 IoCs

Access Token Manipulation

T1134

description
Token: SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses
Loads dropped DLL 1 TTPs

Shared Modules
T1129
Loads dropped DLL 1 TTPs

Shared Modules
T1129

Analysis

Sharing

General

Malware Config

Signatures

Processes